Watch Out - Hard To Detect Wordpress Hacking

17 replies
This is not a normal hacking job, and it is difficult for the site owner to detect, because when you go to your site directly you will not notice anything.

But when people find you from a Google search result page, your site will redirect to this domain:

-- sokoloperkovuske.com/in.php?pp=172 --

This means your .htaccess file has been altered.

It is recommended to block all sites in this range - 91.220.0.0/24 - in your .htaccess file.

Here's an article that covers this more
  • Karan Goel
    Yeah. My site was hacked a month ago, and a lot of (84, to be precise) URLs in the format:

    site.com/index.php?pid=XX&id=XX

    were created.

    When I checked, I found that the hacker used xRumer to blast those URLs to 33k forums and spammed them to hell. All my ranks were dominated by these URLs.

    I had to look into my DB to find the malicious code, and fix it.

    But still, my site still shows the "This site may be compromised" link underneath it in Google.
  • Chris Paterson
    Interesting and scary at the same time. Any preventative measures that anyone recommends?
  • Istvan Horvath
    Originally Posted by jamawebinc:

    This means your .htaccess file has been altered.

    It is recommended to block all sites in this range - 91.220.0.0/24 - in your .htaccess file.

    Here's an article that covers this more
    My problem with this post and the quoted blog post.

    None of them gives an explanation of WHY it happens, i.e. the "alteration" of the .htaccess file. (I have a suspicion but need to investigate.)

    Instead of blocking a certain range of IPs, the solution should focus on HOW to secure the .htaccess file.

    P.S. OK, did some reading...

    First, open your FTP client and make sure your .htaccess file's permissions are 644 or lower. Reminder: many people make the file "world writable" when setting up the nice permalinks and never change it back!

    Protect the htaccess file itself, by adding this to it:
    Code:
    <Files .htaccess>
     order allow,deny
     deny from all
    </Files>
    • JohnMcCabe
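    One way to check a site for both problems raised so far (the first post's redirect that only fires for visitors arriving from a search results page, and Istvan's advice on .htaccess permissions and the deny block), as an added shell script that is not code from the thread; the audit_htaccess function, the constructed sample files and the attacker.invalid hostname are assumptions for the demo.

```shell
#!/bin/sh
# Added audit helper (not code from the thread). Checks a .htaccess file for the
# two things discussed above: write permission for group/others, and a rewrite
# that only fires for visitors coming from a search engine's results page.
# Exit status of audit_htaccess: 0 = nothing found, 1 = findings, 2 = no file.

audit_htaccess() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "no such file: $f"; return 2; }

    # Permission check without GNU-only stat flags: in "ls -l" output
    # column 6 is the group write bit and column 9 the world write bit.
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in ?????w*)    echo "FINDING group-writable ($perms): $f"; rc=1 ;; esac
    case "$perms" in ????????w?) echo "FINDING world-writable ($perms): $f"; rc=1 ;; esac

    # A RewriteCond on HTTP_REFERER naming a search engine is why the site
    # looks fine when opened directly but redirects from a results page.
    if grep -Eiq 'RewriteCond[[:space:]]+%[{]HTTP_REFERER[}].*(google|bing|yahoo)' "$f"; then
        echo "FINDING referrer-conditional rewrite in $f:"
        grep -Ein 'RewriteCond[[:space:]]+%[{]HTTP_REFERER[}]|RewriteRule' "$f"
        rc=1
    fi

    # The self-protection block recommended above; its absence is only a note.
    grep -Eiq '<Files[[:space:]]+"?\.htaccess"?>' "$f" \
        || echo "NOTE no <Files .htaccess> deny block in $f"
    return $rc
}

# Constructed samples. The redirect target is a placeholder hostname,
# not the one named in the first post.
write_hacked_sample() {
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]' \
        'RewriteRule ^(.*)$ http://attacker.invalid/in.php [R=302,L]' > "$1"
}
write_clean_sample() {
    printf '%s\n' '<Files .htaccess>' ' order allow,deny' ' deny from all' \
        '</Files>' 'RewriteEngine On' 'RewriteRule ^index\.php$ - [L]' > "$1"
}

# Demo: world-writable hacked sample, then a 644 clean one.
demo_dir=$(mktemp -d)
write_hacked_sample "$demo_dir/hacked.htaccess"; chmod 666 "$demo_dir/hacked.htaccess"
write_clean_sample  "$demo_dir/clean.htaccess";  chmod 644 "$demo_dir/clean.htaccess"
audit_htaccess "$demo_dir/hacked.htaccess" || echo "hacked sample: exit status $?"
audit_htaccess "$demo_dir/clean.htaccess"  && echo "clean sample: nothing found"
rm -r "$demo_dir"
```

    Run it against the real file with `audit_htaccess /path/to/site/.htaccess`; any FINDING line means the file deserves a manual look before you decide how write access was obtained.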
      Istvan, looks like you have a new candidate for the next edition of your excellent WSO...
    • margocales
      To assist a newcomer.

      If I change the .htaccess file, as you say, to 644 instead of 755, will this stop me accessing the blog for outside posting? Will I only be able to post by opening the site?
      • Jonas B
        Originally Posted by margocales:

        To assist a newcomer.

        If I change the .htaccess file, as you say, to 644 instead of 755, will this stop me accessing the blog for outside posting? Will I only be able to post by opening the site?
        Not sure what you mean, but the numbers represent the rights people have to read/write/execute.


        644 = owner can read/write, groups/other can read
        755 = owner can read/write/execute, groups/others can read/execute

        So there is no need for execution, unless some script tries to execute it, obviously.

        I suggest you read this: http://codex.wordpress.org/Changing_...ss_permissions

        Hope it helps
      • Istvan Horvath
        Originally Posted by margocales:

        To assist a newcomer.

        If I change the .htaccess file, as you say, to 644 instead of 755, will this stop me accessing the blog for outside posting? Will I only be able to post by opening the site?
        I don't think so.

        File permissions are just that: who has permissions to do something with THAT file. Having chmod 755 = it is world wide writable, meaning anybody can over-write it. 644 is safe.
        • Tashi Mortier
          Originally Posted by Istvan Horvath:

          I don't think so.

          File permissions are just that: who has permissions to do something with THAT file. Having chmod 755 = it is world wide writable, meaning anybody can over-write it. 644 is safe.
          Not correct. Unix has three bits for access levels: 2^2 is read (4), 2^1 is write (2) and 2^0 is execute (1).

          Add the numbers together 4 + 2 = 6, read and write.

          4 + 1 = 5, read and execute.

          4 + 2 + 1 = 7, read, write and execute.

          Why keep write access on the .htaccess file at all? Just change it to 444.

          Directories are a bit different: they need execute rights so your web server is allowed to get into them (otherwise you might get 403 or 503 errors). Your other files don't need to be executed; the web server reads and parses them.


          In my experience there are some common backdoors:
          1. Some security hole in the script itself; keep your script updated.
          2. Too easy passwords: somebody gained admin control of your site.
          3. Your computer got hacked/infected and passwords were stolen from FileZilla etc.

          Make sure you only use scripts and plugins from expert programmers, or scary stuff can happen. Most people just think reading a PHP book is enough to sell WordPress plugins. Hello SQL Injection, XSS, CSRF... (look these up on Wikipedia).
          • KylePeters
            Originally Posted by Tashi Mortier:

            Why keep write access on the .htaccess file at all? Just change it to 444.
            Yeah! This is a good idea, provided that you will not be adding any more plugins that may write to the .htaccess file, like a redirection script. However, it will give you an error msg., and then you can just go back to your cPanel to temporarily change it back to 644 -- and let it write... and then change it back to 444.

            And having said all this --- I read somewhere in this forum that when .htaccess files get hacked -- it usually changes to 444 -- which is weird! Maybe you can elaborate on this?? And is changing to 444 still a good idea??

            Kyle
    • trentonlaura
      Originally Posted by Istvan Horvath:

      My problem with this post and the quoted blog post.

      None of them gives an explanation of WHY it happens, i.e. the "alteration" of the .htaccess file. (I have a suspicion but need to investigate.)

      Instead of blocking a certain range of IPs, the solution should focus on HOW to secure the .htaccess file.

      P.S. OK, did some reading...

      First, open your FTP client and make sure your .htaccess file's permissions are 644 or lower. Reminder: many people make the file "world writable" when setting up the nice permalinks and never change it back!

      Protect the htaccess file itself, by adding this to it:
      Code:
      <Files .htaccess>
       order allow,deny
       deny from all
      </Files>
      What does this code do, and does it matter where in the .htaccess file it goes? Is this something I should be doing?
    • tomfinster
      Originally Posted by Istvan Horvath:

      Protect the htaccess file itself, by adding this to it:
      Code:
      <Files .htaccess>
       order allow,deny
       deny from all
      </Files>
      Hey Istvan,

      I was told that if we have Hostgator, then we don't need to protect the .htaccess with this code... do you know if this is true? And if so, will it hurt if we add this code as a double layer of protection anyway? Or will it disrupt Hostgator's .htaccess protection?

      Many thanks!
  • colinph970
    As a general rule, set CHMOD to 644 for files and 755 for folders... the blog is still accessible for posting.
  • SteveJohnson
    The question remains - and this is why I have a real problem with threads titled like this one - how was write access to the .htaccess file gained?

    Odds are about even that WordPress had nothing to do with it, unless the site owner was running a very out-of-date WP version.

    ON THE OTHER HAND, some of the early not-so-well-written cloaking plugins were/are ripe for a hacker person because the user input was not properly sanitized and capabilities and intentions weren't checked before the redirect was stored. Some redirect/cloaking plugins made use of redirects written to the .htaccess file itself.

    In short, no one can say definitively that "WordPress was hacked!" without further investigation.

    Unix filesystem permissions can be a little difficult to understand. The three digits represent the permission level for three categories of user: what the owner can do with the file, what the user group can do with the file, and finally what the rest of the world can do with the file.

    What makes it even more difficult to understand is that a directory is actually a file, and that file has permissions.

    ANYHOW, here's the bottom line: if you're on one of the major hosting companies - HostGator, BlueHost, etc. - you should never need to modify file permissions. The reason is rather complicated, but basically it's because they've allowed PHP to run as 'user' rather than as 'Apache'. The techie details are here: suEXEC Support - Apache HTTP Server


    Here's an easy way to tell - if you can install plugins from the Add New link on the plugins page, you should never have to change file or directory permissions for your WordPress site.
    • weblink29
      I had 2 sites hacked in the past. The last time it happened the hacker placed a bank phishing website in one of my folders. I had no idea it was there until I was snooping around my folders one day.

      The general consensus was that they accessed my server via a PHP injection attack.

      There will always be hackers that attempt to take over websites just to see if they can. There will also be people who try to access your server to run their own promotion from your website remotely. They don't care if your website gets shut down for abuse.

      The only way you can beat them is to learn more about hacking than they know. It isn't worth the effort for me. I just try to secure things the best way I can and repair any damage they cause when they do.

      I back up my data from my web servers to my hard drive from time to time to make it easier to rebuild a site if it's trashed.
  • Daniel Rickfold
    This WordPress Vulnerability Affects Over 90% of WordPress Sites


    How? Almost every WordPress theme uses an image resizing utility called TimThumb. The new version of this - called WordThumb - has this issue fixed; however, most theme developers don't know about this, nor are older themes able to fix this.

    This is quite a dangerous vulnerability, and YOUR WordPress site is almost 90% sure to have it if you're using any custom theme, either bought or free.

    This gives the attacker the opportunity to gain access to your server, and once inside... do whatever he wants.

    HOW TO FIX IT
    Check out this blog post that reveals how to fix this or update it to make sure you won't fall victim to this vulnerability again.
    Zero Day Vulnerability in many Wordpress Themes | mm

    Hope this helps!
  • Simon Hall
    It's an interesting thread. I have had a similar experience to some others in the past, mainly due to not updating WordPress and the TimThumb issue described earlier. Luckily I was with Hostgator, who were fantastic, as several of my blogs were hacked/infected on my server at the same time and they ran diagnostics and located all the problems. However, it wasn't a good experience by any means.
    I can't claim to have anywhere near the technical knowledge of some of the other contributors to this discussion, but I would say there are a few golden rules to follow.
    Use a strong password and avoid an easy username. Keep themes and plugins up to date to avoid vulnerabilities, and install a security plugin like bulletproof-security. This will help manage .htaccess files and folder permissions.
    You can also use the plugin wp lockdown to add some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range.

    Hope this is of some use.
    • so11
      The file .htaccess is used to enforce access control directives for the directory in which it is present, and can exist for any directory.

      Permissions set in this file override those set at an upper level in the directory hierarchy or at the operating system level.

      A user who does not have access permissions on a file, but has write permission on .htaccess, can change directives in .htaccess to gain write or execute permissions, thus circumventing other access controls.

      Hence, this file should be protected from non-root users who are not a part of the Apache server management.